Crypt::OpenSSL::PKCS12 Password Truncation Vulnerability

Vulnerability

A vulnerability exists in Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl, where passwords containing embedded NULLs are truncated. This issue arises because password parameters in PKCS12.xs are declared as char pointers, which are processed through Perl's default typemap in a way that discards the true length of the password. As a result, any password byte at or after the first NULL is silently omitted. This truncation is problematic for binary, key derivation function (KDF)-derived, or HMAC-derived passwords, which lose entropy without any warning.
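The mechanism above as an added C illustration, not code from PKCS12.xs or from the 1.95 fix: a minimal stand-in for a Perl scalar shows how handing the XS layer only a char* (what the default typemap does) loses the length Perl keeps for the string, while a (pointer, length) pair preserves it. The sample password, the FNV-1a toy derivation standing in for a real KDF, the use of strlen() to model length rediscovery, and all helper names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Minimal stand-in for a Perl scalar: a byte buffer plus its length.
   Perl strings may contain NUL bytes; the length lives alongside the buffer. */
typedef struct { const unsigned char *pv; size_t cur; } sv_like;

/* Constructed sample: 16 bytes of KDF-style output with NULs at offsets 5 and 10. */
static const unsigned char SAMPLE_PW[16] = {
    0x9a,0x11,0xf3,0x07,0x2c,0x00,0x5d,0xe8,0xb4,0x71,0x00,0x3f,0xc6,0x90,0x12,0xaa };

/* Defective path (assumed model): a char*-only parameter carries no length, so the
   C side has to rediscover it, here with strlen(), and stops at the first NUL. */
size_t pass_len_via_char_ptr(const sv_like *sv) {
    return strlen((const char *)sv->pv);   /* 5 for SAMPLE_PW, not 16 */
}

/* Length-aware path, the shape of handling the advisory says 1.95 adopts. */
size_t pass_len_via_length(const sv_like *sv) {
    return sv->cur;
}

/* Toy derivation (FNV-1a, not a real KDF): the truncated input yields a different,
   shorter-secret key than the one the caller intended. */
uint64_t fnv1a(const unsigned char *data, size_t len) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < len; i++) { h ^= data[i]; h *= 1099511628211ULL; }
    return h;
}

/* Defender check: how many password bytes a char*-only interface silently drops. */
size_t bytes_dropped_by_truncation(const unsigned char *pw, size_t len) {
    const unsigned char *nul = memchr(pw, 0, len);
    return nul ? len - (size_t)(nul - pw) : 0;
}

int main(void) {
    sv_like sv = { SAMPLE_PW, sizeof SAMPLE_PW };
    size_t seen = pass_len_via_char_ptr(&sv), full = pass_len_via_length(&sv);
    printf("char* path sees %zu bytes, length-aware path sees %zu\n", seen, full);
    printf("key from truncated input: %016llx\n", (unsigned long long)fnv1a(SAMPLE_PW, seen));
    printf("key from full password:   %016llx\n", (unsigned long long)fnv1a(SAMPLE_PW, full));
    printf("bytes silently dropped:   %zu\n", bytes_dropped_by_truncation(SAMPLE_PW, full));
    return 0;
}
```

Running bytes_dropped_by_truncation over a password before handing it to an unpatched 1.94 build is a cheap way to detect the entropy loss the advisory describes.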

Impact

The defect causes unintended password truncation: passwords derived from binary, KDF, or HMAC sources lose entropy, and the PKCS#12 data is protected with only the prefix before the first NULL rather than the full password the caller supplied.

Remediation

Users are advised to update to Crypt::OpenSSL::PKCS12 version 1.95, which addresses this vulnerability by implementing length-aware password handling. The release is available from the MetaCPAN page for Crypt-OpenSSL-PKCS12.

Added: May 17, 2026, 7:18 PM
Updated: May 17, 2026, 7:18 PM

Vulnerability Rating

Custom Algorithm

spread:         0.0
impact:         0.6
exploitability: 7.4
remediation:    0.0
relevance:      8.6
threat:         0.0
urgency:        2.9
incentive:      4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.